Hi,
Is there any way to disable/flush (like with ALTQ) pf queues?
I tried with `pfctl -d; pfctl -e; pfctl -f /etc/pf.conf' but I got an error:

pfctl: DIOCXCOMMIT: Invalid argument

The only reference I could find was this:

http://marc.info/?l=openbsd-tech&m=140421855720135&w=2

Is this a known behavior?
After this error the only way to load my ruleset was to reboot.
I'm still trying to figure out why my queues don't limit the max bandwidth.
Thanks for your time.

----------------------
pf.conf
----------------------

### Interfaces ###
# Macros, referenced below as $name. "egress" in the NAT rules is the
# interface group holding the default route, presumably $ExtIf here - confirm.
 ExtIf ="em0"
 IntIf ="vlan41"
 Free  ="vlan81"
# $lo0 expands to the loopback *address*; the bare name lo0 used as a
# rdr-to target in the SMTP rules below means the loopback *interface*.
 lo0   ="127.0.0.1"

### Hosts ###
# Of these, only vl, ve, sam, cs_serv, mc_serv and w7_rdc are used by active
# rules on this page; jl, ntp, rpi, dpc11, dpc21, mc_serv1 and r2_serv are
# unused or appear only in commented-out rules.
 vl="192.168.1.2"
 jl="192.168.1.3"
 ve="192.168.1.4"
# $ntp (this host) is distinct from the bare service name "ntp" used in
# "port ntp" below.
 ntp="192.168.1.5"
 rpi="192.168.1.7"
 dpc11="192.168.1.11"
 sam="192.168.1.16"
# NOTE(review): the 10.10.10.x hosts are rdr-to targets, but no interface or
# network macro on this page covers 10.10.10.0/24 - confirm how it is reached.
 cs_serv="10.10.10.254"
 mc_serv="10.10.10.253"
 mc_serv1="10.10.10.252"
 r2_serv="10.10.10.240"
 w7_rdc ="10.10.10.241"
 dpc21="192.168.1.21"

### Ports ###
# Port macros; ranges use pf's low:high syntax.
 low_ports = "0:1023"
 hi_ports  = "1024:65535"
# Despite the name, this list also contains ssh, smtp, rdp and vnc ports;
# outbound connections to any of them get the *_web queues (see $ExtIf outbound).
web = "{20, 21, 22, 25, 80, 443, 2222, 3389, 5900, 6000, 7777, 8080 }"
 ssh_extif = "2222"
 rdc       = "3389"
 rdc_extif = "4910"
 rdc_r2    = "5511"
 rdc_w7    = "5522"
 squid     = "8080"
 squid_extif = "8080"
 vl_skype  = "30001"
 jl_skype  = "30002"
 ve_skype  = "30003"
 vl_torrent= "30004"
 jl_torrent= "30005"
 ve_torrent= "30006"
 vl_hfs    = "8081"
 ftp_proxy = "8021"
 symux     = "2100"
 ftp       = "21"
 vnc_ext   = "59001"
 vnc_int   = "5900"
 sftp      = "22222"
 l2tp      = "{ 500, 1701, 4500 }"
 mine      = "25565"
 mine1     = "25566"
 trace     = "33434:33498"
 cs16      = "27000:27018"
 q3        = "27960:27963"
 ventrilo  = "3784"
# Not referenced by any active rule on this page: rdc_r2, jl_skype, jl_torrent,
# vnc_ext, vnc_int, sftp, q3, ventrilo; mine1 appears only in a commented rule.

### Queues, States and Types ###
# Rule fragments. $IcmpType limits the ICMP rules to echo requests only.
 IcmpType ="icmp-type 8 code 0"
# SynState is not referenced by any rule on this page.
 SynState ="flags S/SAFR synproxy state"

### Tables ###
# "file" tables are re-read from the named file on every ruleset load;
# "persist" tables keep their runtime contents across reloads.
# <bgnets>: sources/destinations that are assigned the higher-bandwidth b_*
# queues throughout the filter rules below. Large enough to need the raised
# table-entries limit in the Options section.
  table <bgnets> file "/etc/bgnets"
# Populated at runtime, presumably by spamd(8) - confirm.
  table <spamd-white> persist
  table <bgp-spamd-bypass> persist
# Clients allowed to reach the Squid redirect on $ExtIf.
  table <proxy-users> file "/etc/proxy_users"
# Manual blocklist; matched by the "block quick" rule on $ExtIf.
  table <BLOCK> persist #{ 82.119.88.70 }

################ Options ######################################################
### Misc Options
# Commented out, so pf's default block policy (drop) applies to "block" rules
# that do not name a policy themselves (e.g. the <BLOCK> rule below); the
# three default block rules say "return" explicitly and are unaffected.
# set block-policy drop
 set loginterface $ExtIf
# No filtering at all on loopback and on enc0 (IPsec inner traffic).
 set skip on { lo, enc0 }
# set optimization aggressive
set limit table-entries 400000 # Full list is 200k entries as of March 1
# set state-defaults pflow

################ Queueing ####################################################

# The tree is attached to $ExtIf, so it only shapes packets *leaving* $ExtIf;
# "set queue" on inbound rules applies to the reply/outbound side of the state.
# NOTE(review): child "bandwidth" values sum to more than the parent's:
# inter children = 2.5M vs 2M, bg children = 40M vs 39M (bg's max). Whether
# pfctl accepts this or it contributes to the max bandwidth not being enforced
# should be confirmed - the totals look like an oversight.
 queue rootq on $ExtIf bandwidth 98M, max 99M
# "inter" tree: queues for traffic to/from arbitrary Internet hosts (i_*).
  queue inter parent rootq bandwidth 2M, max 3M
   queue i_ack     parent inter bandwidth 1M, min 900K
   queue i_dns     parent inter bandwidth 500K, min 400K
   queue i_ntp     parent inter bandwidth 300K, min 200K
   queue i_web     parent inter bandwidth 500K burst 2M for 10000ms
   queue i_bulk    parent inter bandwidth 170K
# "default": anything leaving $ExtIf without an explicit "set queue" lands
# here and is capped at 1400K.
   queue i_bittor  parent inter bandwidth 30K, max 1400K default

# "bg" tree: queues for traffic to/from <bgnets> (b_*).
  queue bg parent rootq bandwidth 39M, max 40M
   queue b_ack     parent bg bandwidth 15M, min 10M
   queue b_dns     parent bg bandwidth 1M, min 900K
   queue b_ntp     parent bg bandwidth 4M, min 3900K
   queue b_rdc     parent bg bandwidth 4M, min 3900K
queue b_web parent bg bandwidth 10M, min 9M burst 40M for 5000ms, max 37M
   queue b_bulk    parent bg bandwidth 5M, min 4M
   queue b_bittor  parent bg bandwidth 1M, max 2M

################ Translation and Filtering ###################################

### BLOCK all in/out on all interfaces by default and log
# Only these three interfaces get a default block; traffic on any other
# interface that matches no rule is passed by pf's implicit default.
# "return" answers every blocked packet with a TCP RST / ICMP unreachable,
# which on the Internet-facing $ExtIf confirms to probes that the host is up;
# "block drop" is the usual choice for the external interface.
 block return log on $ExtIf
 block return log on $IntIf
 block return log on $Free
# "quick": no later pass rule can override this. Uses the default policy
# (drop), so <BLOCK> sources get no response at all.
 block quick  log on $ExtIf from <BLOCK>

### Network Address Translation (NAT with outgoing source port randomization)
# match rules are applied as the ruleset is evaluated, so the filter rules
# further down see the translated source address ($ExtIf) for this traffic.
 match out log on egress from $IntIf:network \
        to any nat-to ($ExtIf:0)
 match out log on egress from $Free:network \
        to any nat-to ($ExtIf:0)
# NOTE(review): 192.168.3.0/24 has no macro or interface on this page;
# presumably the VPN client pool (npppd is allowed in below) - confirm.
 match out log on egress from 192.168.3.0/24 \
        to any nat-to ($ExtIf:0)

### NAT from IntIf to FreeWifi
 match out log on $Free from $IntIf:network \
        to $Free:network nat-to ($Free:0)

### Packet normalization ( "scrubbing" )
 match log on $ExtIf all scrub (random-id max-mss 1440)

### Ftp ( secure ftp proxy for LAN )
# Rules in these anchors are not shown on this page; ftp-proxy(8) fills its
# anchor dynamically for each proxied data connection.
 anchor "ftp-proxy/*"
 anchor vpn

### pppx
# Passes all protocols in both directions on pppx interfaces, no source or
# destination restriction.
 pass log on pppx

# ESP is passed on every interface in both directions.
 pass log proto esp set queue b_ack
# pass log proto gre set queue b_ack

### $ExtIf inbound ################
# None of these rules is "quick" except the spamd bypass, so the last matching
# rule wins: each broad "from any -> i_* queue" rule is followed by a narrower
# "from <bgnets> -> b_* queue" rule that takes precedence for <bgnets> sources.
# Keep that pairing order when editing.

# npppd
# L2TP/IPsec control ports, <bgnets> only. No "inet" keyword here, unlike the
# other rules, so this one also matches IPv6 if $ExtIf has any.
  pass in log on $ExtIf proto {tcp, udp} from <bgnets> \
 to ($ExtIf) port $l2tp set queue b_dns

# dns nsd
  pass in log on $ExtIf inet proto {tcp, udp} from any \
 to ($ExtIf) port domain set queue i_dns
  pass in log on $ExtIf inet proto {tcp, udp} from <bgnets> \
 to ($ExtIf) port domain set queue b_dns

# OpenSSH
# sshd is reachable from <bgnets> only, on the non-standard port $ssh_extif,
# redirected to the loopback sshd on port 22.
  pass in log on $ExtIf inet proto tcp from <bgnets> \
 to ($ExtIf) port $ssh_extif set queue b_ack rdr-to $lo0 port ssh

# OpenSMTPD
# "quick": bypass sources skip the spamd redirect below. "rdr-to lo0" (bare
# interface name) redirects to the loopback interface's address.
  pass in log quick on $ExtIf inet proto tcp from <bgp-spamd-bypass> \
 to ($ExtIf) port smtp set queue (i_web, i_ack) rdr-to lo0
# Unknown senders go to spamd; <spamd-white> sources match the later rule
# (last-match) and reach the MTA directly.
  pass in log on $ExtIf inet proto tcp from any \
 to ($ExtIf) port smtp rdr-to lo0 port spamd
  pass in log on $ExtIf inet proto tcp from <spamd-white> \
 to ($ExtIf) port smtp set queue (i_web, i_ack) rdr-to lo0

# IMAPS/SMTPS
# Mail client access from <bgnets> only.
  pass in log on $ExtIf inet proto tcp from <bgnets> \
 to ($ExtIf) port {smtps, imaps} set queue (b_web, b_ack)

# Nginx
# Public web server, redirected to 127.0.0.1.
  pass in log on $ExtIf inet proto tcp from any \
 to ($ExtIf) port {www, https} set queue (i_web, i_ack) rdr-to $lo0
  pass in log on $ExtIf inet proto tcp from <bgnets> \
 to ($ExtIf) port {www, https} set queue (b_web, b_ack) rdr-to $lo0

# Ntpd ( time server )
  pass in log on $ExtIf inet proto udp from any \
 to ($ExtIf) port ntp set queue i_ntp
  pass in log on $ExtIf inet proto udp from <bgnets> \
 to ($ExtIf) port ntp set queue b_ntp

# RDC_BG
# RDP to two internal Windows hosts, exposed to <bgnets> only, on alternate
# external ports that are redirected to $rdc (3389) on the target.
  pass in log on $ExtIf inet proto tcp from <bgnets> \
 to ($ExtIf) port $rdc_extif set queue b_rdc rdr-to $vl port $rdc
  pass in log on $ExtIf inet proto tcp from <bgnets> \
 to ($ExtIf) port $rdc_w7 set queue b_rdc rdr-to $w7_rdc port $rdc

# Counter Strike
#  pass in log on $ExtIf inet proto udp from <bgnets> \
# to ($ExtIf) port $cs16 set queue b_ack rdr-to $cs_serv

# MineCraft
  pass in log on $ExtIf inet proto tcp from <bgnets> \
 to ($ExtIf) port $mine set queue b_ack rdr-to $mc_serv
#  pass in log on $ExtIf inet proto tcp from <bgnets> \
# to ($ExtIf) port $mine1 set queue b_ack rdr-to $mc_serv1 port $mine

# Squid
# Proxy reachable only from <proxy-users>, redirected to the local squid.
  pass in log on $ExtIf inet proto tcp from <proxy-users> \
 to ($ExtIf) port $squid_extif set queue b_bulk rdr-to $lo0 port $squid

# Skype (queue INTER)
# Open to the whole Internet: inbound traffic on these ports is forwarded
# straight to the LAN hosts.
  pass in log on $ExtIf inet proto {tcp, udp} from any \
 to ($ExtIf) port $vl_skype set queue i_bulk rdr-to $vl
  pass in log on $ExtIf inet proto {tcp, udp} from any \
 to ($ExtIf) port $ve_skype set queue i_bulk rdr-to $ve

# Skype (queue BG)
  pass in log on $ExtIf inet proto {tcp, udp} from <bgnets> \
 to ($ExtIf) port $vl_skype set queue b_bulk rdr-to $vl
  pass in log on $ExtIf inet proto {tcp, udp} from <bgnets> \
 to ($ExtIf) port $ve_skype set queue b_bulk rdr-to $ve

# uTorrent (queue INTER)
# Likewise open to any source.
  pass in log on $ExtIf inet proto {tcp, udp} from any \
 to ($ExtIf) port $vl_torrent set queue i_bittor rdr-to $vl
  pass in log on $ExtIf inet proto {tcp, udp} from any \
 to ($ExtIf) port $ve_torrent set queue i_bittor rdr-to $ve

# uTorrent (queue BG)
  pass in log on $ExtIf inet proto {tcp, udp} from <bgnets> \
 to ($ExtIf) port $vl_torrent set queue b_bittor rdr-to $vl
  pass in log on $ExtIf inet proto {tcp, udp} from <bgnets> \
 to ($ExtIf) port $ve_torrent set queue b_bittor rdr-to $ve

# HFS
# HTTP file server on $vl, <bgnets> only.
  pass in log on $ExtIf inet proto tcp from <bgnets> \
 to ($ExtIf) port $vl_hfs set queue (b_web, b_ack) rdr-to $vl

# Ping
# $IcmpType = echo request only; other ICMP types stay blocked.
  pass in log on $ExtIf inet proto icmp from any \
 to ($ExtIf) $IcmpType set queue i_bulk
  pass in log on $ExtIf inet proto icmp from <bgnets> \
 to ($ExtIf) $IcmpType set queue b_bulk

### End $ExtIf inbound ###########

### $IntIf outbound ###########
# Traffic leaving the firewall towards the LAN. Mostly the second hop of the
# rdr-to rules in "$ExtIf inbound": a redirected connection still has to be
# passed out on $IntIf, and these rules provide that.

# ntp.bsdbg.net
#  pass out log on $IntIf inet proto udp from any \
# to $ntp port ntp

# RDC
  pass out log on $IntIf inet proto tcp from any \
 to $vl port $rdc

# Counter Strike
# Any protocol port on $cs_serv (no port restriction), UDP only.
  pass out log on $IntIf inet proto udp from any \
 to $cs_serv

# Skype
  pass out log on $IntIf inet proto {tcp, udp} from any \
 to $vl port $vl_skype
  pass out log on $IntIf inet proto {tcp, udp} from any \
 to $ve port $ve_skype

# uTorrent
  pass out log on $IntIf inet proto {tcp, udp} from any \
 to $vl port $vl_torrent
  pass out log on $IntIf inet proto {tcp, udp} from any \
 to $ve port $ve_torrent

# HFS
  pass out log on $IntIf inet proto tcp from <bgnets> \
 to $vl port $vl_hfs

# Allow self to reach Lan
# (self) = all addresses of the firewall's own interfaces.
  pass out log on $IntIf inet proto {tcp, udp, icmp} from (self) \
 to $IntIf:network

### End $IntIf outbound ###

### $Free outbound ###
# Allow self to reach FreeWifi
  pass out log on $Free inet proto {tcp, udp, icmp} from (self) \
 to $Free:network

### End $Free outbound ###

### $Free inbound ###
# Allow FreeWifi to access port www and https
# "!$IntIf:network" only excludes the LAN; the firewall's own non-LAN
# addresses and any other routed range (e.g. 192.168.3.0/24 from the NAT
# rules) remain reachable on 80/443 - confirm that is intended.
  pass in log on $Free inet proto tcp from $Free:network \
 to !$IntIf:network port {www, https}

# Local DNS access for FreeWifi
# Resolver on the firewall's own $Free address only.
  pass in log on $Free inet proto {tcp, udp} from $Free:network \
 to $Free port domain

### End $Free inbound ###

### $IntIf inbound ###############

# Allow all out
# LAN clients may initiate anything (tcp/udp/icmp) to any destination.
pass in log on $IntIf inet proto {tcp, udp, icmp} from $IntIf:network \
 to any

# Ftp-proxy
# Diverts LAN FTP control connections (not destined to the firewall) to the
# local ftp-proxy; the proxy then installs its own rules via the
# "ftp-proxy/*" anchor. NOTE(review): the "tagged FTP" rules in $ExtIf
# outbound presumably rely on ftp-proxy tagging its connections - confirm.
  pass in log on $IntIf inet proto tcp from $IntIf:network \
 to !$IntIf port $ftp divert-to $lo0 port $ftp_proxy

# Symux
 pass in log on $IntIf inet proto {tcp, udp} from $IntIf:network \
  to $IntIf port $symux

# Symux from mc
# $mc_serv is on 10.10.10.x, not in $IntIf:network, hence the extra rule.
 pass in log on $IntIf inet proto {tcp, udp} from $mc_serv \
  to $IntIf port $symux

# RDC SSH
# LAN connections to the firewall's own port $rdc (3389) are redirected to
# 127.0.0.1:3389; the heading suggests an SSH-forwarded RDP endpoint - confirm.
 pass in log on $IntIf inet proto tcp from $IntIf:network \
  to $IntIf port $rdc rdr-to $lo0

# Allow SamKnows to run its tests
# "tag SAM" is consumed by the "tagged SAM" rules at the end of $ExtIf outbound.
  pass in log on $IntIf inet proto {tcp, udp, icmp} from $sam \
 to any tag SAM

### End $IntIf inbound ###

### $ExtIf outbound ###
# Queue assignment for everything leaving $ExtIf. NAT has already been applied
# by the match rules above, so "from ($ExtIf)" covers translated LAN/FreeWifi
# traffic as well as the firewall's own connections. As elsewhere, each
# "to any" rule is followed by a "to <bgnets>" rule so that <bgnets>
# destinations end up in the b_* queues (last match wins).

## TCP ##
# Queue default (i_bittor & b_bittor )
# Unprivileged destination ports (1024-65535) go to the bittorrent queues.
  pass out log on $ExtIf inet proto tcp from ($ExtIf) \
 to any port $hi_ports set queue(i_bittor, i_ack)
  pass out log on $ExtIf inet proto tcp from ($ExtIf) \
 to <bgnets> port $hi_ports set queue(b_bittor, b_ack)

# Queue bulk (i_bulk & b_bulk )
# Privileged destination ports (0-1023) not matched more specifically below.
  pass out log on $ExtIf inet proto tcp from ($ExtIf) \
 to any port $low_ports set queue(i_bulk, i_ack)
  pass out log on $ExtIf inet proto tcp from ($ExtIf) \
 to <bgnets> port $low_ports set queue (b_bulk, b_ack)

# Queue web (i_web & b_web )
# $web includes several non-web ports (ssh, smtp, rdp, vnc, ...); see the macro.
  pass out log on $ExtIf inet proto tcp from ($ExtIf) \
 to any port $web set queue(i_web, i_ack)
  pass out log on $ExtIf inet proto tcp from ($ExtIf) \
 to <bgnets> port $web set queue(b_web, b_ack)

# Queue ftp (i_web & b_web )
# Matches states carrying the FTP tag; nothing on this page sets that tag,
# so it presumably comes from ftp-proxy's anchor rules - confirm.
  pass out log on $ExtIf inet proto tcp from (self) \
 to any tagged FTP set queue(i_web, i_ack)
  pass out log on $ExtIf inet proto tcp from (self) \
 to <bgnets> tagged FTP set queue(b_web, b_ack)

# Queue dns (i_dns & b_dns)
  pass out log on $ExtIf inet proto tcp from ($ExtIf) \
 to any port domain set queue(i_dns, i_ack)
  pass out log on $ExtIf inet proto tcp from ($ExtIf) \
 to <bgnets> port domain set queue(b_dns, b_ack)

## UDP ##
# Queue default (i_bittor & b_bittor)
  pass out log on $ExtIf inet proto udp from ($ExtIf) \
 to any port $hi_ports set queue i_bittor
  pass out log on $ExtIf inet proto udp from ($ExtIf) \
 to <bgnets> port $hi_ports set queue b_bittor

# Queue bulk (i_bulk & b_bulk)
  pass out log on $ExtIf inet proto udp from ($ExtIf) \
 to any port $low_ports set queue i_bulk
  pass out log on $ExtIf inet proto udp from ($ExtIf) \
 to <bgnets> port $low_ports set queue b_bulk

# Queue dns (i_dns & b_dns)
  pass out log on $ExtIf inet proto udp from ($ExtIf) \
 to any port domain set queue i_dns
  pass out log on $ExtIf inet proto udp from ($ExtIf) \
 to <bgnets> port domain set queue b_dns

# Queue ntp (i_ntp & b_ntp)
  pass out log on $ExtIf inet proto udp from ($ExtIf) \
 to any port ntp set queue i_ntp
  pass out log on $ExtIf inet proto udp from ($ExtIf) \
 to <bgnets> port ntp set queue b_ntp

# ICMP
# Outbound echo requests only ($IcmpType); other ICMP types are not passed
# out here.
  pass out log on $ExtIf inet proto icmp from ($ExtIf) \
 to any $IcmpType set queue i_web
  pass out log on $ExtIf inet proto icmp from ($ExtIf) \
 to <bgnets> $IcmpType set queue b_web

# Traceroute
# The traceroute, CS and VPN rules below override the UDP "default" rule
# above for their port ranges because they come later in the ruleset.
  pass out log on $ExtIf inet proto udp from ($ExtIf) \
 to any port $trace set queue i_ntp
  pass out log on $ExtIf inet proto udp from ($ExtIf) \
 to <bgnets> port $trace set queue b_ntp

# CS
  pass out log on $ExtIf inet proto udp from ($ExtIf) \
 to any port $cs16 set queue i_ntp
  pass out log on $ExtIf inet proto udp from ($ExtIf) \
 to <bgnets> port $cs16 set queue b_ntp

# VPN isakmpd
  pass out log on $ExtIf inet proto udp from ($ExtIf) \
 to any port $l2tp set queue i_ntp
  pass out log on $ExtIf inet proto udp from ($ExtIf) \
 to <bgnets> port $l2tp set queue b_ntp

# SamKnows
# Placed last so the SAM tag (set in $IntIf inbound) overrides the port-based
# queue assignment above for the measurement host's traffic.
  pass out log on $ExtIf inet proto {tcp, udp, icmp} from ($ExtIf) \
 to any set queue i_ack tagged SAM
  pass out log on $ExtIf inet proto {tcp, udp, icmp} from ($ExtIf) \
 to <bgnets> set queue b_ack tagged SAM

### End $ExtIf outbound ###########
